The confidentiality of taxpayer information is a cornerstone of the American tax system. Ensuring that taxpayer data remains secure and private is critical for maintaining trust between citizens and the Internal Revenue Service (IRS). The Taxpayer Data Protection Act (H.R. 8292), introduced by House Ways and Means Chair Jason Smith (R-MO), seeks to rehabilitate this trust by significantly increasing the penalties for unauthorized disclosures of taxpayer information.
Under current law, specifically 26 U.S.C. § 7213 of the Internal Revenue Code, unauthorized disclosure of tax return information is a felony punishable by a fine of up to $5,000, imprisonment for up to five years, or both. The Taxpayer Data Protection Act aims to amend these provisions to impose harsher penalties.
The urgency for this legislative change stems from a significant breach that took place in 2019. An IRS contractor, Charles Littlejohn, illegally accessed and leaked the confidential records of thousands of taxpayers to the New York Times and ProPublica. These organizations published articles based on this confidential tax information, targeting thousands of American taxpayers.
This breach raises serious questions about the IRS's ability to safeguard sensitive data and the adequacy of current penalties to deter such misconduct. Only in April 2024, did the IRS begin notifying the more than 70,000 companies and individuals impacted by Littlejohn’s criminal conduct by mailing brief victim notification letters outlining what Littlejohn had done and their rights as victims. As early as September 2020, the House Committee on Ways and Means initiated inquiries seeking answers from federal investigators about the failure to protect taxpayer data. Despite these efforts, ProPublica continued to publish articles based on stolen information, intensifying concerns.
In September 2023, the U.S. Department of Justice (DOJ) charged Littlejohn with one count of unauthorized disclosure of tax return information. Committee Republicans expressed dissatisfaction with the DOJ's decision to pursue only a single count despite the case involving two separate thefts and thousands of victims. They urged the presiding judge to impose the maximum sentence under current law. Ultimately, the judge sentenced Littlejohn to five years in prison and a $5,000 fine; Littlejohn is currently appealing his sentence.
The Taxpayer Data Protection Act proposes crucial amendments to 26 U.S.C. § 7213(a). Here are the key changes:
Increased Penalties: The maximum fine for unauthorized disclosure would increase from $5,000 to $250,000. The maximum imprisonment term would also double from five years to ten years. These adjustments align the penalties with those specified in 18 U.S.C. § 3571, reflecting the gravity of the offense.
Distinct Violations for Each Affected Taxpayer: The bill clarifies that each unauthorized disclosure affecting multiple taxpayers will be treated as separate and distinct violations. This provision ensures that penalties are appropriately scaled to the extent of the breach.
The bill passed the House Ways and Means Committee on May 15 with overwhelming support, voting 40-1 in favor. This strong backing underscores the bipartisan recognition of the need to enhance the protection of taxpayer data.
The Taxpayer Data Protection Act represents a significant step towards properly safeguarding the security of taxpayer information. By increasing the penalties for unauthorized disclosures and ensuring that each violation is adequately punished, the bill aims to restore confidence in the IRS's ability to protect sensitive data. The IRS and the contractors it works with are granted extraordinary powers by American taxpayers — betrayal of this trust deserves more than a slap on the wrist.